@pleri/olam-cli 0.1.125 → 0.1.127

package/dist/lib/world-mcp-register.d.ts

@@ -0,0 +1,98 @@
+/**
+ * In-world MCP registration helper.
+ *
+ * After `olam create` spawns a fresh world container, we register the
+ * agentmemory MCP server inside that world's claude config so the
+ * in-world claude session reaches the host-side agent-memory service
+ * without manual `claude mcp add` from the operator.
+ *
+ * Architecture:
+ *
+ *   host           docker exec               world container
+ *   ----           ----------               ---------------
+ *   olam create  ─►   docker exec     ─►    claude mcp add agentmemory
+ *                                               --scope user
+ *                                               --env AGENTMEMORY_URL=...
+ *                                               --env AGENTMEMORY_SECRET=...
+ *                                               -- agentmemory-mcp
+ *
+ * The `agentmemory-mcp` bin is pre-baked into the devbox image (B2), so
+ * there's no `npx -y` cold-start at first claude invocation (T6).
+ *
+ * Idempotency: re-running against an already-registered world is a noop.
+ * We detect via `claude mcp list` exit code + stderr signature (same
+ * "No <scope> MCP server found" pattern reused from the host-side
+ * `olam memory uninstall` helper).
+ *
+ * Graceful skip: when the world wasn't spawned with AGENTMEMORY_* env
+ * (because the host memory service was absent at spawn time per B1),
+ * we skip registration with an informative log. The world keeps working
+ * — the @agentmemory/mcp shim falls back to local InMemoryKV.
+ *
+ * Plan reference: docs/plans/olam-agent-memory-distributed/phase-b-tasks.md B3
+ */
+import { type SpawnSyncReturns } from 'node:child_process';
+/** Inject points for tests. */
+export interface DockerExecDeps {
+    /** Wrap spawnSync so tests can stub claude/docker calls. */
+    spawn: (cmd: string, args: string[], opts: {
+        encoding: 'utf8';
+        stdio: ['ignore', 'pipe', 'pipe'];
+    }) => SpawnSyncReturns<string>;
+    /** Optional logger; defaults to console.log. */
+    log?: (msg: string) => void;
+}
+export declare const DEFAULT_DOCKER_EXEC_DEPS: DockerExecDeps;
+/**
+ * Result shape — `outcome` is the load-bearing field. Callers use it to
+ * decide whether to print a success line vs. a graceful-skip notice.
+ */
+export type RegisterOutcome = {
+    outcome: 'registered';
+    scope: 'user';
+} | {
+    outcome: 'already-registered';
+    scope: 'user';
+} | {
+    outcome: 'skipped-no-env';
+    reason: string;
+} | {
+    outcome: 'failed';
+    rc: number;
+    detail: string;
+};
+export interface RegisterAgentMemoryMcpOpts {
+    /** Full container name, e.g. `olam-<world-id>-devbox`. */
+    containerName: string;
+    /** The AGENTMEMORY_URL value that was injected at world spawn (B1). */
+    agentmemoryUrl: string;
+    /** The AGENTMEMORY_SECRET value that was injected at world spawn (B1). */
+    agentmemorySecret: string;
+}
+/**
+ * Probe whether `agentmemory` is already registered inside the world's
+ * claude. Uses `claude mcp list` which prints a structured list; we
+ * just look for the name in the output. Returns:
+ *   - `'present'`   — already registered (idempotent skip path)
+ *   - `'absent'`    — not registered yet (proceed to add)
+ *   - `'unknown'`   — `claude mcp list` failed for any reason; we don't
+ *                     pretend to know the state, caller decides.
+ */
+export declare function probeMcpListed(containerName: string, deps: DockerExecDeps): 'present' | 'absent' | 'unknown';
+/**
+ * Register the agentmemory MCP server inside a world container.
+ *
+ * - Skips silently when `agentmemorySecret` is empty (the world was
+ *   spawned without B1's env injection because the host memory service
+ *   was absent at spawn time).
+ * - Skips idempotently when `claude mcp list` already shows the server.
+ * - Otherwise shells to `docker exec <world> claude mcp add agentmemory
+ *   --scope user --env ... -- agentmemory-mcp`.
+ *
+ * The bearer secret transits as an argv element of the spawned `claude`
+ * process inside the container (same shape as the host-side
+ * `olam memory install`). Documented in the operator-facing
+ * docs/architecture/agent-memory.md security model.
+ */
+export declare function registerAgentMemoryMcp(opts: RegisterAgentMemoryMcpOpts, deps?: DockerExecDeps): RegisterOutcome;
+//# sourceMappingURL=world-mcp-register.d.ts.map

package/dist/lib/world-mcp-register.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"world-mcp-register.d.ts","sourceRoot":"","sources":["../../src/lib/world-mcp-register.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAEH,OAAO,EAAa,KAAK,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAEtE,+BAA+B;AAC/B,MAAM,WAAW,cAAc;IAC7B,4DAA4D;IAC5D,KAAK,EAAE,CACL,GAAG,EAAE,MAAM,EACX,IAAI,EAAE,MAAM,EAAE,EACd,IAAI,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC,CAAA;KAAE,KAC1D,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAC9B,gDAAgD;IAChD,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;CAC7B;AAED,eAAO,MAAM,wBAAwB,EAAE,cAGtC,CAAC;AAKF;;;GAGG;AACH,MAAM,MAAM,eAAe,GACvB;IAAE,OAAO,EAAE,YAAY,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,GACxC;IAAE,OAAO,EAAE,oBAAoB,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,GAChD;IAAE,OAAO,EAAE,gBAAgB,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GAC7C;IAAE,OAAO,EAAE,QAAQ,CAAC;IAAC,EAAE,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC;AAEtD,MAAM,WAAW,0BAA0B;IACzC,0DAA0D;IAC1D,aAAa,EAAE,MAAM,CAAC;IACtB,uEAAuE;IACvE,cAAc,EAAE,MAAM,CAAC;IACvB,0EAA0E;IAC1E,iBAAiB,EAAE,MAAM,CAAC;CAC3B;AAED;;;;;;;;GAQG;AACH,wBAAgB,cAAc,CAC5B,aAAa,EAAE,MAAM,EACrB,IAAI,EAAE,cAAc,GACnB,SAAS,GAAG,QAAQ,GAAG,SAAS,CAYlC;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,sBAAsB,CACpC,IAAI,EAAE,0BAA0B,EAChC,IAAI,GAAE,cAAyC,GAC9C,eAAe,CAoDjB"}

package/dist/lib/world-mcp-register.js

@@ -0,0 +1,117 @@
+/**
+ * In-world MCP registration helper.
+ *
+ * After `olam create` spawns a fresh world container, we register the
+ * agentmemory MCP server inside that world's claude config so the
+ * in-world claude session reaches the host-side agent-memory service
+ * without manual `claude mcp add` from the operator.
+ *
+ * Architecture:
+ *
+ *   host           docker exec               world container
+ *   ----           ----------               ---------------
+ *   olam create  ─►   docker exec     ─►    claude mcp add agentmemory
+ *                                               --scope user
+ *                                               --env AGENTMEMORY_URL=...
+ *                                               --env AGENTMEMORY_SECRET=...
+ *                                               -- agentmemory-mcp
+ *
+ * The `agentmemory-mcp` bin is pre-baked into the devbox image (B2), so
+ * there's no `npx -y` cold-start at first claude invocation (T6).
+ *
+ * Idempotency: re-running against an already-registered world is a noop.
+ * We detect via `claude mcp list` exit code + stderr signature (same
+ * "No <scope> MCP server found" pattern reused from the host-side
+ * `olam memory uninstall` helper).
+ *
+ * Graceful skip: when the world wasn't spawned with AGENTMEMORY_* env
+ * (because the host memory service was absent at spawn time per B1),
+ * we skip registration with an informative log. The world keeps working
+ * — the @agentmemory/mcp shim falls back to local InMemoryKV.
+ *
+ * Plan reference: docs/plans/olam-agent-memory-distributed/phase-b-tasks.md B3
+ */
+import { spawnSync } from 'node:child_process';
+export const DEFAULT_DOCKER_EXEC_DEPS = {
+    spawn: spawnSync,
+    log: (msg) => console.log(msg),
+};
+const MCP_NAME = 'agentmemory';
+const MCP_BIN = 'agentmemory-mcp';
+/**
+ * Probe whether `agentmemory` is already registered inside the world's
+ * claude. Uses `claude mcp list` which prints a structured list; we
+ * just look for the name in the output. Returns:
+ *   - `'present'`   — already registered (idempotent skip path)
+ *   - `'absent'`    — not registered yet (proceed to add)
+ *   - `'unknown'`   — `claude mcp list` failed for any reason; we don't
+ *                     pretend to know the state, caller decides.
+ */
+export function probeMcpListed(containerName, deps) {
+    const result = deps.spawn('docker', ['exec', containerName, 'claude', 'mcp', 'list'], { encoding: 'utf8', stdio: ['ignore', 'pipe', 'pipe'] });
+    if (result.status !== 0)
+        return 'unknown';
+    const combined = `${result.stdout ?? ''}\n${result.stderr ?? ''}`;
+    // `claude mcp list` prints one row per registered server. Match on
+    // the name at the start of a line to avoid false positives from
+    // descriptive prose.
+    return new RegExp(`^\\s*${MCP_NAME}\\b`, 'm').test(combined) ? 'present' : 'absent';
+}
+/**
+ * Register the agentmemory MCP server inside a world container.
+ *
+ * - Skips silently when `agentmemorySecret` is empty (the world was
+ *   spawned without B1's env injection because the host memory service
+ *   was absent at spawn time).
+ * - Skips idempotently when `claude mcp list` already shows the server.
+ * - Otherwise shells to `docker exec <world> claude mcp add agentmemory
+ *   --scope user --env ... -- agentmemory-mcp`.
+ *
+ * The bearer secret transits as an argv element of the spawned `claude`
+ * process inside the container (same shape as the host-side
+ * `olam memory install`). Documented in the operator-facing
+ * docs/architecture/agent-memory.md security model.
+ */
+export function registerAgentMemoryMcp(opts, deps = DEFAULT_DOCKER_EXEC_DEPS) {
+    if (!opts.agentmemorySecret || opts.agentmemorySecret.length === 0) {
+        return {
+            outcome: 'skipped-no-env',
+            reason: 'world has no AGENTMEMORY_SECRET (memory service was absent or --skip-memory active at spawn time)',
+        };
+    }
+    const probe = probeMcpListed(opts.containerName, deps);
+    if (probe === 'present') {
+        return { outcome: 'already-registered', scope: 'user' };
+    }
+    const args = [
+        'exec',
+        opts.containerName,
+        'claude',
+        'mcp',
+        'add',
+        MCP_NAME,
+        '--scope',
+        'user',
+        '--env',
+        `AGENTMEMORY_URL=${opts.agentmemoryUrl}`,
+        '--env',
+        `AGENTMEMORY_SECRET=${opts.agentmemorySecret}`,
+        '--',
+        MCP_BIN,
+    ];
+    // Log without leaking the secret. Same redaction pattern as
+    // packages/cli/src/commands/memory/install.ts.
+    const redacted = args.map((a) => a.startsWith('AGENTMEMORY_SECRET=') ? 'AGENTMEMORY_SECRET=<redacted>' : a);
+    deps.log?.(`Wiring agent-memory MCP in ${opts.containerName}: docker ${redacted.join(' ')}`);
+    const result = deps.spawn('docker', args, {
+        encoding: 'utf8',
+        stdio: ['ignore', 'pipe', 'pipe'],
+    });
+    if (result.status === 0) {
+        return { outcome: 'registered', scope: 'user' };
+    }
+    // Defensive redaction of any echo-back of the env value.
+    const detail = (result.stderr?.trim() || result.stdout?.trim() || '(no output)').replace(/AGENTMEMORY_SECRET=\S+/g, 'AGENTMEMORY_SECRET=<redacted>');
+    return { outcome: 'failed', rc: result.status ?? 1, detail };
+}
+//# sourceMappingURL=world-mcp-register.js.map

package/dist/lib/world-mcp-register.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"world-mcp-register.js","sourceRoot":"","sources":["../../src/lib/world-mcp-register.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAEH,OAAO,EAAE,SAAS,EAAyB,MAAM,oBAAoB,CAAC;AActE,MAAM,CAAC,MAAM,wBAAwB,GAAmB;IACtD,KAAK,EAAE,SAAS;IAChB,GAAG,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC;CAC/B,CAAC;AAEF,MAAM,QAAQ,GAAG,aAAa,CAAC;AAC/B,MAAM,OAAO,GAAG,iBAAiB,CAAC;AAqBlC;;;;;;;;GAQG;AACH,MAAM,UAAU,cAAc,CAC5B,aAAqB,EACrB,IAAoB;IAEpB,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CACvB,QAAQ,EACR,CAAC,MAAM,EAAE,aAAa,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,CAAC,EAChD,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,CACxD,CAAC;IACF,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,SAAS,CAAC;IAC1C,MAAM,QAAQ,GAAG,GAAG,MAAM,CAAC,MAAM,IAAI,EAAE,KAAK,MAAM,CAAC,MAAM,IAAI,EAAE,EAAE,CAAC;IAClE,mEAAmE;IACnE,gEAAgE;IAChE,qBAAqB;IACrB,OAAO,IAAI,MAAM,CAAC,QAAQ,QAAQ,KAAK,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC;AACtF,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,sBAAsB,CACpC,IAAgC,EAChC,OAAuB,wBAAwB;IAE/C,IAAI,CAAC,IAAI,CAAC,iBAAiB,IAAI,IAAI,CAAC,iBAAiB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACnE,OAAO;YACL,OAAO,EAAE,gBAAgB;YACzB,MAAM,EACJ,mGAAmG;SACtG,CAAC;IACJ,CAAC;IAED,MAAM,KAAK,GAAG,cAAc,CAAC,IAAI,CAAC,aAAa,EAAE,IAAI,CAAC,CAAC;IACvD,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;QACxB,OAAO,EAAE,OAAO,EAAE,oBAAoB,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;IAC1D,CAAC;IAED,MAAM,IAAI,GAAG;QACX,MAAM;QACN,IAAI,CAAC,aAAa;QAClB,QAAQ;QACR,KAAK;QACL,KAAK;QACL,QAAQ;QACR,SAAS;QACT,MAAM;QACN,OAAO;QACP,mBAAmB,IAAI,CAAC,cAAc,EAAE;QACxC,OAAO;QACP,sBAAsB,IAAI,CAAC,iBAAiB,EAAE;QAC9C,IAAI;QACJ,OAAO;KACR,CAAC;IACF,4DAA4D;IAC5D,+CAA+C;IAC/C,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAC9B,CAAC,CAAC,UAAU,CAAC,qBAAqB,CAAC,CAAC,CAAC,CAAC,+BAA+B,CAAC,CAAC,CAAC,CAAC,CAC1E,CAAC;IACF,IAAI,CAAC,GAAG,EAAE,CAAC,8BAA8B,IAAI,CAAC,aAAa,YAAY,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAE7F,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,IAAI,EAAE;QACxC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;KAClC,CAAC,CAAC;IAEH,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxB,OAAO,EAAE,OAAO,EAAE,YAAY,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;IAClD,CAAC;IAED,yDAAyD;IACzD,MAAM,MAAM,GAAG,CAAC,MAAM,CAAC,MAAM,EAAE,IAAI,EAAE,IAAI,MAAM,CAAC,MAAM,EAAE,IAAI,EAAE,IAAI,aAAa,CAAC,CAAC,OAAO,CACtF,yBAAyB,EACzB,+BAA+B,CAChC,CAAC;IACF,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,CAAC,MAAM,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;AAC/D,CAAC"}

package/dist/mcp-server.js

@@ -22413,7 +22413,32 @@ var serviceSchema = external_exports.object({
   // later in the seam. Statements are NOT exposed to operator-controlled
   // env variables — only the two whitelisted placeholders above. No shell
   // expansion, no DOLLAR-name expansion.
-  post_clone_sql: external_exports.record(external_exports.string().min(1), external_exports.array(external_exports.string().min(1))).optional()
+  post_clone_sql: external_exports.record(external_exports.string().min(1), external_exports.array(external_exports.string().min(1))).optional(),
+  // olam-hybrid-shared-postgres Phase B: per-seed env-var-name override.
+  //
+  // Phase A's F-6 derives the DB-name env var from the seed name using a
+  // POSTGRESQL_<PURPOSE>_DATABASE convention (atlas_common_seed →
+  // POSTGRESQL_COMMON_DATABASE). That works for atlas-core which uses
+  // POSTGRESQL_*-prefixed env vars throughout.
+  //
+  // Atlas-pay (and other future repos) use different env var names —
+  // e.g. ATLAS_PAY_DATABASE, not POSTGRESQL_PAY_DATABASE. This map lets
+  // a manifest declare the override explicitly:
+  //
+  //   services:
+  //     postgres:
+  //       seed_template:
+  //         - atlas_common_seed
+  //         - atlas_pay_seed
+  //       db_env_override:
+  //         atlas_pay_seed: ATLAS_PAY_DATABASE
+  //         # atlas_common_seed keeps F-6's default POSTGRESQL_COMMON_DATABASE
+  //
+  // Schema: Record<seed_template_name, env_var_name>. The env var name
+  // must be uppercase letters/digits/underscores ([A-Z][A-Z0-9_]*) — same
+  // shape as conventional shell env vars. F-6 honors the override when
+  // present; falls back to the derived default otherwise.
+  db_env_override: external_exports.record(external_exports.string().min(1), external_exports.string().regex(/^[A-Z][A-Z0-9_]*$/)).optional()
 }).passthrough();
 var deploySchema = external_exports.object({
   tags: external_exports.array(external_exports.string()).optional()
@@ -23218,6 +23243,18 @@ function readHostCpToken() {
     return "";
   }
 }
+function readMemorySecret() {
+  const fromEnv = process.env["OLAM_MEMORY_SECRET"];
+  if (fromEnv && fromEnv.length > 0)
+    return fromEnv;
+  const file = path7.join(os5.homedir(), ".olam", "memory-secret");
+  try {
+    return fs5.readFileSync(file, "utf-8").trim();
+  } catch {
+    return "";
+  }
+}
+var AGENTMEMORY_HOST_INTERNAL_URL = "http://host.docker.internal:3111";
 function sanitizeContainerName(name) {
   return name.replace(/[^a-zA-Z0-9_.-]/g, "-");
 }
@@ -23347,6 +23384,7 @@ var createWorldContainer = async (docker, worldId, worldName, image, env, resour
   const labels = olamLabels(worldId, worldName);
   const authSecret = readAuthSecret();
   const hostCpToken = readHostCpToken();
+  const memorySecret = readMemorySecret();
   const worldEnv = {
     OLAM_WORLD_ID: worldId,
     OLAM_WORLD_NAME: worldName,
@@ -23363,6 +23401,14 @@ var createWorldContainer = async (docker, worldId, worldName, image, env, resour
     OLAM_HOST_CP_URL: "http://host.docker.internal:19000",
     ...authSecret ? { OLAM_AUTH_SECRET: authSecret } : {},
     ...hostCpToken ? { OLAM_HOST_CP_TOKEN: hostCpToken } : {},
+    // Phase B1 — agent-memory wiring. Both vars are injected together
+    // (or neither): without a secret the URL is useless. The in-world
+    // @agentmemory/mcp shim (Phase B2/B3) reads these env vars to find
+    // the host's REST endpoint.
+    ...memorySecret ? {
+      AGENTMEMORY_URL: AGENTMEMORY_HOST_INTERNAL_URL,
+      AGENTMEMORY_SECRET: memorySecret
+    } : {},
     ...env
   };
   const envList = Object.entries(worldEnv).map(([k, v]) => `${k}=${v}`);
@@ -33231,6 +33277,7 @@ function applyPostgresNetworkOverrides(worldEnv, enrichedRepos, worldId) {
     if (worldId !== void 0) {
       assertSafeWorldId(worldId);
       const seedTemplates = /* @__PURE__ */ new Set();
+      const dbEnvOverride = {};
       for (const repo of enrichedRepos) {
         const pg = repo.manifest?.services?.["postgres"];
         const raw = pg?.seed_template;
@@ -33241,12 +33288,23 @@ function applyPostgresNetworkOverrides(worldEnv, enrichedRepos, worldId) {
             if (typeof s === "string")
               seedTemplates.add(s);
         }
+        if (pg?.db_env_override && typeof pg.db_env_override === "object") {
+          for (const [seedKey, envName] of Object.entries(pg.db_env_override)) {
+            if (typeof envName === "string" && envName.length > 0) {
+              dbEnvOverride[seedKey] = envName;
+            }
+          }
+        }
       }
       for (const seed of seedTemplates) {
-        const match = seed.match(/^atlas_([a-z][a-z0-9_]*?)_seed$/i);
-        if (match && match[1] !== void 0) {
-          const purpose = match[1].toUpperCase();
-          const envKey = `POSTGRESQL_${purpose}_DATABASE`;
+        let envKey = dbEnvOverride[seed];
+        if (envKey === void 0) {
+          const match = seed.match(/^atlas_([a-z][a-z0-9_]*?)_seed$/i);
+          if (match && match[1] !== void 0) {
+            envKey = `POSTGRESQL_${match[1].toUpperCase()}_DATABASE`;
+          }
+        }
+        if (envKey !== void 0) {
           worldEnv[envKey] = deriveWorldDbName(seed, worldId);
         }
       }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pleri/olam-cli",
-  "version": "0.1.125",
+  "version": "0.1.127",
   "type": "module",
   "bin": {
     "olam": "./bin/olam.cjs"